
CVE-2025-13109: CWE-639 Authorization Bypass Through User-Controlled Key in realmag777 HUSKY – Products Filter Professional for WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-13109, CWE-639
Published: Wed Dec 03 2025 (12/03/2025, 12:29:56 UTC)
Source: CVE Database V5
Vendor/Project: realmag777
Product: HUSKY – Products Filter Professional for WooCommerce

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 09:30:59 UTC

Technical Analysis

The vulnerability identified as CVE-2025-13109 affects the HUSKY – Products Filter Professional for WooCommerce plugin, a WordPress extension used to enhance product filtering capabilities in WooCommerce stores. The flaw is categorized under CWE-639, which involves authorization bypass through user-controlled keys. Specifically, the plugin's functions woof_add_query and woof_remove_query fail to properly validate keys supplied by authenticated users. This lack of validation allows attackers with subscriber-level privileges or higher to manipulate saved search queries in other users' profiles, including those of administrators. Such manipulation can alter the behavior of the plugin or the user experience by injecting or removing saved queries without proper authorization. Although the vulnerability does not expose sensitive data or disrupt service availability, it compromises the integrity of user-specific configurations. The attack vector is remote and network-based, requiring only low complexity and no user interaction beyond authentication. The vulnerability affects all versions up to and including 1.3.7.2 of the plugin. No patches or exploit code are currently publicly available, but the risk remains due to the widespread use of WooCommerce and this plugin in e-commerce environments.
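To make the CWE-639 pattern described above concrete, here is an added, constructed pair of WordPress AJAX handlers (not HUSKY's own code): the first takes the owner of the saved query from a request field, the second binds the write to the logged-in user and gates any cross-user action behind a nonce and capability check. The request field names, the user-meta key and the function names are assumptions made for this illustration.

```php
<?php
// Constructed example of the CWE-639 pattern and its fix. Not the plugin's real code;
// the 'user_id'/'query' fields and the 'example_saved_queries' meta key are assumed.

// VULNERABLE PATTERN: the record owner comes from a key the caller controls, so any
// authenticated user can write a saved query into another user's profile.
function example_add_query_vulnerable() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );                    // never validated
    $query   = sanitize_text_field( wp_unslash( $_POST['query'] ?? '' ) );
    $saved   = (array) get_user_meta( $user_id, 'example_saved_queries', true );
    $saved[] = $query;
    update_user_meta( $user_id, 'example_saved_queries', $saved );  // writes to ANY profile
    wp_send_json_success();
}

// HARDENED PATTERN: require a nonce, default the target to the current user, and
// allow a different target only when the caller may edit that user.
function example_add_query_hardened() {
    check_ajax_referer( 'example_saved_query', 'nonce' );           // CSRF protection
    $requested = (int) ( $_POST['user_id'] ?? 0 );
    $target    = get_current_user_id();
    if ( $requested && $requested !== $target ) {
        // Cross-user writes need an explicit authorization decision, not just a login.
        if ( ! current_user_can( 'edit_user', $requested ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $target = $requested;
    }
    $query = sanitize_text_field( wp_unslash( $_POST['query'] ?? '' ) );
    if ( '' === $query ) {
        wp_send_json_error( 'empty query', 400 );
    }
    $saved   = (array) get_user_meta( $target, 'example_saved_queries', true );
    $saved[] = $query;
    update_user_meta( $target, 'example_saved_queries', $saved );
    wp_send_json_success( array( 'count' => count( $saved ) ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_add_query', 'example_add_query_hardened' );
```

The same ownership check applies to the removal path: the record to delete must be looked up under the current user's (or an explicitly authorized user's) ID, never under an ID supplied in the request.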

Potential Impact

The primary impact of this vulnerability is the unauthorized modification of saved search queries within user profiles, including those of administrators. This can lead to confusion, misconfiguration, or potential indirect exploitation if attackers use manipulated queries to influence plugin behavior or user decisions. While confidentiality and availability are not directly affected, the integrity of user data and configurations is compromised. For organizations, this could result in degraded user trust, potential disruption of e-commerce operations, and increased risk of further attacks if attackers leverage this foothold for privilege escalation or lateral movement. Since the vulnerability requires authenticated access at subscriber level or above, the risk is higher in environments with weak access controls or where subscriber accounts are easily compromised or created. The medium CVSS score reflects moderate risk, but the potential for misuse in targeted attacks against high-value WordPress sites is notable.

Mitigation Recommendations

Organizations should immediately verify if they use the HUSKY – Products Filter Professional for WooCommerce plugin and identify the version in use. Since no official patch links are currently available, administrators should consider the following mitigations:
1) Restrict subscriber-level account creation and monitor for suspicious account activity to reduce the attack surface.
2) Implement strict role-based access controls and audit user permissions regularly.
3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the woof_add_query and woof_remove_query endpoints.
4) Monitor logs for unusual modifications to saved queries or profile data.
5) Engage with the plugin vendor or community to obtain or develop patches and apply them promptly once available.
6) Consider temporarily disabling the plugin or limiting its functionality if feasible until a fix is deployed.
7) Educate administrators and users about the risk and signs of exploitation to enable rapid response.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-12T23:36:07.758Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69302ef1720cedca79452381

Added to database: 12/3/2025, 12:37:05 PM

Last enriched: 2/27/2026, 9:30:59 AM

Last updated: 3/23/2026, 5:45:52 AM
